Embed Size (px)
Citation preview
2/1/2016 Passwords: So Important, Yet So Misused | Passwords
http://www.informit.com/articles/printerfriendly/1338067 1/5
Passwords: So Important, Yet SoMisusedBy John Traenkenschuh
Date: May 1, 2009
Return to the article
President Obama's Twitter account was compromised because of a simplistic securityfailure on the Twitter website. Sarah Palin's Yahoo! account was compromisedbecause of the growing security interdependence among too many websites.Microsoft MVP and CISSP‐ISSAP John Traenkenschuh illustrates basic password bestpractices, pointing out the new problems that Web 2.0 brings to all of us, not justimportant politicians.
Early in 2009, Americans were surprised to discover that several famous Twitter accounts werecompromised, including President Obama's and Britney Spears'. Even more surprising was the simpletrick used to gain access to these accounts: a simple password‐guessing scheme. Like so many otheremerging social networking sites, Twitter failed to provide even the simplest password‐protectiontechniques, such as locking an account and resetting the session if multiple incorrect passwords areentered.
In this article, I'll refresh your knowledge about passwords and show you how to use them better. Afterreading this article, you'll know at least a little more about password safety:
What constitutes basic password protectionsThe mathematics behind password‐guessing schemes—so you can choose more effectivepasswordsHow to apply what you've learned about passwords—and avoid becoming a chump member ofsome unsecured website
Passwords
We're still discussing passwords in 2009?! A decade ago, I thought by now we'd all be using fingerprints,digital certificates, or retinal scans of some kind. Instead, we're still primarily using passwords, a secretcombination of keyboard characters that uniquely identifies the user as that specific person. (At least,that's the theory behind passwords.)
Password‐guessing scripts became common years ago. These scripts would attempt to log in, using a
2/1/2016 Passwords: So Important, Yet So Misused | Passwords
http://www.informit.com/articles/printerfriendly/1338067 2/5
known ID and a word from a dictionary file as a potential password; tirelessly, patiently trying one wordafter another. These scripts could guess any password eventually. As an initial response, people begansubstituting punctuation characters for letters. The word "password" became "p@$$w0rd"—becausethat's not a dictionary word, right? Soon, vast dictionaries of "script kiddies" passwords were availablefor download. As a secondary response, operating system and application vendors began increasing thelength of acceptable passwords. For reasons we'll consider later, the old systems of eight uppercasecharacters for passwords was too limiting. Additionally, some vendors decided to implement a systemthat would lock the account after too many incorrect guesses, thereby rendering it useless to anattacker. Is this enough? Well, taken all together, here was the protection system:
Longer passwordsMore complex passwordsAccount lockup after too many incorrect guesses
These controls made passwords reasonably secure. Initially.
Permutations: Potentially Pleasing Passwords
The mathematics behind possible passwords are called permutations. It had been some time since I hadstudied permutations, but reading the "Windows Server 2008 Security Guide" reminded me. It explainsthe importance of password length, creating a larger pool of passwords to guess. Let's review thepermutation theory behind passwords.
TIP
If you're interested in network hardening, there's some great information in the Microsoft podcast"Hardening Windows Server 2008 Deployments with the Windows Server 2008 Security Guide."
We want a password that's very difficult to guess yet reasonably easy to remember. Let's start with asimplistic password, three letters long (English) and uppercase letters only. Because our password canrepeat letters and combinations, we can express the potential number of passwords as 26 (the numberof letters in the English alphabet) to the third power (263). The result, 17,576 passwords, sounds like alot of potential passwords, but today's very fast computers can blitz through those combinations inrecord time.
But what happens when we add a few letters to our password? Let's continue with those uppercaseletters only, but let's make it a six‐character password. That gives us 308,915,776 potential passwords,if my Windows calculator gets it right. Doubling the password length increases the number of potentialpasswords by a factor of over 17,000! Long passwords clearly are better than short ones.
Of course, those 308,915,776 passwords can be cracked more quickly if you're someone whosepassword is slightly guessable. Live in Chicago and use "DaBears" (your favorite football team's popularnickname) as your password? You're asking for a quick compromise of your account.
2/1/2016 Passwords: So Important, Yet So Misused | Passwords
http://www.informit.com/articles/printerfriendly/1338067 3/5
Let's improve even more on password length by creating a password consisting of both uppercase andlowercase letters. That gives us 52 total characters. Even our three‐character password now has140,608 potential passwords! That increases the potential passwords by a factor of eight, withoutstruggling to remember more letters. Add some of the eight "$peci@l" characters that some passwordsystems accept as valid, and now we can use 60 potential characters. With a three‐character password,this provides us with 216,000 possible passwords. Review this math carefully: Adding eight morepotential characters gives us a little more than 150% more passwords, even with a three characterminimum password. And if we go to an eight‐character minimum and 60 potential characters, we havea possible 167,961,600,000,000 passwords.
So what can we conclude? Choosing short, predictable, and simplistic‐character passwords is bad. Withjust a little work, adding in some special characters and creating a longer password, we can make thehacker's job much more difficult. Avoiding predictable values (your town's favorite sports team, forexample) can make the password even more difficult to crack.
In fact, you can e‐x‐p‐a‐n‐d your passwords by creating and using passphrases. Let's face it, "E3lif&lsk"can be a bit difficult to remember. Now consider this passphrase, which is acceptable on many modernoperating systems: "MoronsCrackPasswordsThatDoNotMatter!" Sure, that's a lot of typing, but it willsurvive a few brute‐force attacks. Under most multiuser attacks, your account will stand long enough toconvince the attacker to focus on the administrator's account—the one using "happiness" as itspassword. (This was the password the Twitter administrator used. This simple password and the lack ofaccount lockup helped the hacker. A lot.)
Now that we have a world full of websites that implement security inconsistently, we all need to reviewsite security carefully. You don't want to become (or remain) a member of a site that has lousy securitypolicies. If you use the same or similar passwords on all websites, the website with the poorestpassword abilities will force you to have a lowest‐common‐denominator password, significantlyweakening your security across the Internet.
Even keeping different passwords can have its issues, though. If you have an email account on a systemwith poor password abilities, that still weakens your security a great deal. How? Many websites sendpassword‐reset email to your email account. So if your email can be compromised, that email accountcould be used to receive password reset notices—ironically, for those accounts that have strongerpassword policies. A weak password scheme trumps stronger schemes every time.
Potential Password Problems: Signs That It's Time to Move On
Before joining or remaining with an Internet site, review its password security practices and abilities.
Is the password sent over an encrypted connection? It does you little good to create anunguessable password if it will be sent across the Internet unencrypted. Find out whetherencryption is used with the application.What is the password's minimum and maximum length? Beware of websites and applicationsthat don't insist on a minimum length, or that declare a maximum password length in the singledigits.What characters does the site support? Is the password limited to uppercase or lowercase? Arepunctuation characters allowed in the password? If not, these limitations may corral you intousing passwords that are more guessable than you intend.
2/1/2016 Passwords: So Important, Yet So Misused | Passwords
http://www.informit.com/articles/printerfriendly/1338067 4/5
Are the password‐reset challenge questions predictable or easily researched? Once thechallenge answers are guessed, what can the attacker do? Vice‐presidential candidate SarahPalin's Yahoo! account was cracked because the hacker simply learned all he could about her.Thus, he was able to answer all of her challenge questions and then take control of her account.
CAUTION
Consider carefully whether you should share so much of "you" with the entire Internet. Inthe old days, hackers were good at asking you to take surveys that would ask your children'snames, favorite sports teams, and so on. Why? These were likely passwords. As you goonline (and reveal every detail in your life), you allow people to guess your challenge‐question answers, (or at least claim to be you when talking to Help Desk staff half a worldaway).
What was the color of your favorite car—and why was it red? (Many people prefer red as avehicle color. Some answers to questions are pretty easy to guess.)
Is the account locked if too many incorrect responses are given? Beware of assuming that thisfeature is implemented and that it will work. Many systems cannot implement a persistentcounter, so hacker tools take two tries at your password and then skip to another account. Whenthe tool returns to hacking your ID and password, will the system "remember" the past twoincorrect guesses?What are the password‐reset mechanics? Is the password reset sent to an email account withlousy password policies? In today's dispersed web world, even account lockup is not the panaceait once was.Is the account lockup permanent or temporary? I've got good news and bad news for you. Goodnews: Your account is locked. Bad news: The lockout resets automatically after 20 seconds—enough time for the script to work on three other accounts before trying your account again.
Discouraged? You Should Be.
Despite having excellent functionality with websites, we're still compelled to use passwords. Passwordsare very easy to break or guess, because people choose simplistic values. Even those applications withaccount lockup features often create breakable backdoors with ineffective challenge questions orcheesy temporary timeouts. In response, the best you can do is this:
Use complex passphrases whenever possible.Ensure that password‐reset functionalities are lined up to use your email account with the best,most secure password policies.
© 2016 Pearson Education, Informit. All rights reserved.
2/1/2016 Passwords: So Important, Yet So Misused | Passwords
http://www.informit.com/articles/printerfriendly/1338067 5/5
800 East 96th Street, Indianapolis, Indiana 46240
